Skip site navigation (1)Skip section navigation (2) 
Date:      Wed, 8 Jan 2025 15:16:11 -0800
From:      Craig Leres <leres@freebsd.org>
To:        Gleb Popov <arrowd@FreeBSD.org>, ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject:   Re: git: 726b0eccd65b - main - devel/pcsc-lite: Update to 2.3.1
Message-ID:  <273aec36-c58b-4009-9eea-cea2b31ae38a@freebsd.org>
In-Reply-To: <202501051556.505FuNhY070016@gitrepo.freebsd.org>
References:  <202501051556.505FuNhY070016@gitrepo.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help 
On 1/5/25 07:56, Gleb Popov wrote:
> The branch main has been updated by arrowd:
> 
> URL:https://cgit.FreeBSD.org/ports/commit/? 
> id=726b0eccd65bff6517d8189b16fe622998302339
> 
> commit 726b0eccd65bff6517d8189b16fe622998302339
> Author:     Gleb Popov<arrowd@FreeBSD.org>
> AuthorDate: 2025-01-05 15:56:02 +0000
> Commit:     Gleb Popov<arrowd@FreeBSD.org>
> CommitDate: 2025-01-05 15:56:14 +0000
> 
>      devel/pcsc-lite: Update to 2.3.1

I had a involuntary reboot today and find that this version breaks my 
use of hardware tokens (feitian ePass2003 and yubikey) with ssh-agent. I 
can get things working again by reverting to 2.3.0 (and restarting pcscd).

The impression I get is that it's some kind of permission problem. When 
I insert a token and run "opensc-tool -l" as a user there is no output; 
when I run as root it shows the token.

I ran opensc-tool from ktrace and see it successfully connecting to 
pcscd but it does an ioctl and then it just gives up.

I ran pcscd under gdb and see that polkit is denying my access:

     00001487 [0x800e13500] ../src/auth.c:168:IsClientAuthorized() 
Process 3512 (user: 1020) is NOT authorized for action: access_pcsc
     00000091 [0x800e13500] ../src/winscard_svc.c:357:ContextThread() 
Rejected unauthorized PC/SC client

Indeed I can get things to work again if I run pcscd with 
--disable-polkit. Is this the right solution or am I missing polkit 
configuration? I found pkaction and it has something that looks reasonable:

     pkaction | fgrep pcsc
     org.debian.pcsc-lite.access_card
     org.debian.pcsc-lite.access_pcsc

But I guess:

     /usr/local/share/polkit-1/actions/org.debian.pcsc-lite.policy

is now missing something? Looks like IsClientAuthorized() is getting 
called with "access_pcsc" so I don't understand why it's not working.

Suggestions?

		Craig

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?273aec36-c58b-4009-9eea-cea2b31ae38a>